NY Times FakeAv Banner Ads Certainly not New

The banner ads allegedly rotating through the NY Times website over the weekend delivered FakeAv/Rogueware from servers that have been delivering the same stuff since around July 19th. The current Url over the weekend was protection-check07. com, but it changes frequently.

The ThreatFire community has seen this stuff effectively prevented on desktops using a variety of names since the servers have been delivering the FakeAv, also known as Downloader.MisleadApp, Trojan.Fakeavalert, XPAntivirus and Trojan:Win32/FakeXPA. Here are just a few of the resource variations that ThreatFire has identified over the past few months:

These servers are hosted in Germany, the Netherlands, and Cyprus, but their victims are located throughout the world. In this case, potentially where-ever NY Times readers may be located. Be sure to add a behavioral based security solution to your system. The banner ads seem to have been acted on quickly, as there has been no additional reports and there have been no further identifiable malicious banners.